awslabs / rds-snapshot-tool

The Snapshot Tool for Amazon RDS automates the task of creating manual snapshots, copying them into a different account and a different region, and deleting them after a specified number of days
Apache License 2.0

Shared snapshot copy uses source KMS not destination KMS #60

Open ghost opened 4 years ago

ghost commented 4 years ago

I've just deployed the stacks in Source and Destination AWS accounts (separate accounts) and configured with KmsKeyDestination and KmsKeySource CMKs. Region in both accounts is eu-west-1.

I am surprised to see that the resultant local snapshot "copies" in the external (destination) account are encrypted with the KmsKeySource and haven't been re-encrypted with my specified KmsKeyDestination.

If I manually copy a shared snapshot I am able to specify the local CMK instead and the copy successfully uses it.

Anything I am missing? What should I look for? Anything I can try?

Thanks!

Karl

ghost commented 4 years ago

I did a bit of digging and altered the code in copy_local() to use _KMS_KEY_DEST_REGION in place of _KMS_KEY_SOURCE_REGION and I now get what I want/expect. It can't be this obvious though right?

```python
import boto3
import logging

logger = logging.getLogger(__name__)

# _REGION, _KMS_KEY_SOURCE_REGION and _KMS_KEY_DEST_REGION are the tool's
# module-level settings (read from the Lambda environment); only the
# encrypted-snapshot branch of copy_local() is shown in this post.


def copy_local(snapshot_identifier, snapshot_object):
    client = boto3.client('rds', region_name=_REGION)

    tags = [{
        'Key': 'CopiedBy',
        'Value': 'Snapshot Tool for RDS'
    }]

    if snapshot_object['Encrypted']:
        logger.info('Copying encrypted snapshot %s locally' % snapshot_identifier)
        # Re-encrypt the local copy with the destination CMK rather than the
        # source-region key the tool passed originally.
        response = client.copy_db_snapshot(
            SourceDBSnapshotIdentifier=snapshot_object['Arn'],
            TargetDBSnapshotIdentifier=snapshot_identifier,
            KmsKeyId=_KMS_KEY_DEST_REGION,  # was _KMS_KEY_SOURCE_REGION
            Tags=tags)
```

mrcoronel commented 4 years ago

Hi Karl, I see what you mean... I suppose the behaviour should be different whether you are copying cross-region or not. In your case, it appears you are only copying cross-account.

It's a great catch! But the fix may be a bit more complicated. I'd want to make sure I do not break cross-account + cross-region.

Thanks!

ghost commented 4 years ago

I had a hunch it was something like this. Ironically, my actual future use case is cross account + cross region (for full DR protection) -- I was merely testing in the meantime with the cross-account only use case. I think a generalised fix makes sense though of course!

BTW, thanks for this project -- it is EXACTLY what I was looking for. It's the moon-on-a-stick for me :-)

On 13 Feb 2020, at 13:59, mrcoronel wrote:
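The generalised fix discussed above, as an added example that is not the project's code: the local copy uses the destination CMK when the run is cross-account only (source and destination region equal) and the source-region CMK when a cross-region copy follows, plus an audit over `describe_db_snapshots`-shaped records that flags copies still encrypted under an unexpected key. The account IDs, key ARNs and snapshot records are constructed placeholders.

```python
"""Added example: choose the CMK for copy_local() by cross-region-ness and
audit existing copies for the wrong KmsKeyId. All ARNs below are constructed."""

# Constructed settings mirroring the tool's KmsKeySource / KmsKeyDestination
# parameters; both keys belong to the destination account.
SOURCE_REGION = "eu-west-1"
DEST_REGION = "eu-west-1"  # equal regions: the cross-account-only case in this issue
KMS_KEY_SOURCE_REGION = "arn:aws:kms:eu-west-1:111111111111:key/src-region-key"
KMS_KEY_DEST_REGION = "arn:aws:kms:eu-west-1:111111111111:key/dest-region-key"


def kms_key_for_local_copy(source_region, dest_region, key_source_region, key_dest_region):
    """Return the KmsKeyId to pass when copying a shared snapshot locally.

    A cross-region run copies locally first (the key must live in the source
    region) and re-encrypts again during the cross-region copy. When the two
    regions are equal there is no second copy, so the local copy must already
    use the destination key or the snapshot stays under the wrong CMK.
    """
    if source_region == dest_region:
        return key_dest_region
    return key_source_region


def audit_snapshot_keys(snapshots, expected_key):
    """Return identifiers of encrypted copies whose KmsKeyId != expected_key.

    `snapshots` has the shape of DescribeDBSnapshots['DBSnapshots'] entries.
    Unencrypted snapshots carry no key and are skipped.
    """
    return [
        s["DBSnapshotIdentifier"]
        for s in snapshots
        if s.get("Encrypted") and s.get("KmsKeyId") != expected_key
    ]


# Constructed sample of describe_db_snapshots output in the destination account:
# db1 is still under the source account's CMK (the symptom reported above).
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "db1-2020-02-13", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-west-1:222222222222:key/source-account-cmk"},
    {"DBSnapshotIdentifier": "db2-2020-02-13", "Encrypted": True,
     "KmsKeyId": KMS_KEY_DEST_REGION},
    {"DBSnapshotIdentifier": "db3-2020-02-13", "Encrypted": False},
]

if __name__ == "__main__":
    key = kms_key_for_local_copy(SOURCE_REGION, DEST_REGION,
                                 KMS_KEY_SOURCE_REGION, KMS_KEY_DEST_REGION)
    print("KmsKeyId for local copy:", key)
    print("copies under an unexpected CMK:", audit_snapshot_keys(SAMPLE_SNAPSHOTS, key))
```

Against a real account, feed `audit_snapshot_keys` the `DBSnapshots` list from `describe_db_snapshots` (restricted to the tool's `CopiedBy` tag) to confirm re-encryption happened after a deploy.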